
Shibboleth authentication with LDAP

Enthusiast, Jan 19, 2016


I'm running into "Internal Server Error" when trying to authenticate using shibboleth with LDAP. Here's the ColdFusion error.

Element MYSITESHIBBOLETH.USERNAME is undefined in SESSION. The specific sequence of files included or processed is: \\commonspotshare.mysite.com\commonspot$\TEST\test.mysite.com\authenticate.cfm, line: 32

And here's the authenticate.cfm file, line 32.

[image: mysiteShibboleth.png]

Advocate, Jan 19, 2016


Add <cfdump var="#session.mysiteShibboleth#> on line 30 and see what result you get.

My guess is that the struct does not contain "username".

Cheers

Eddie

Enthusiast, Jan 19, 2016


There is no dump in the browser, but this is the error I got in the ColdFusion error log.

"Error","ajp-bio-8013-exec-1","01/19/16","12:47:32",,"Invalid CFML construct found on line 30 at column 44.ColdFusion was looking at the following text:<p>\""</p><p>The CFML compiler was processing:<ul><li>An expression that began on line 30, column 22.<br>The expression might be missing an ending #, for example, #expr instead of #expr#.<li>The tag attribute var, on line 30, column 17.<li>A cfdump tag beginning on line 30, column 10.<li>A cfdump tag beginning on line 30, column 10.</ul> The specific sequence of files included or processed is: \\commonspotshare.mysite.com\commonspot$\TEST\test.mysite.com\authenticate.cfm, line: 30 "

Advocate, Jan 19, 2016


I failed to close the var attribute's quote in my post and the Web interface is not allowing me to edit the post. Check your syntax, it should be as follows:

<cfdump var="#session.mysiteShibboleth#">

Cheers

Eddie

Enthusiast, Jan 19, 2016


I would still have the same error.

LEGEND, Jan 19, 2016


I believe that the issue is because you are using CFIF instead of CFSWITCH. In a CFIF conditional, the server processes ALL conditions, then inserts into the process whichever condition is correct. Even though the conditional is "IF this exists, run this; if this doesn't exist, don't", the code is still run, just not used.

Change your conditional to a CFSWITCH/CFCASE - the server will run only the correct code.

HTH,

^_^

BTW, you don't need hashmarks if the variable isn't inside quotation marks as a string and it's not being used for display. So:

<cfset session.mysiteshibboleth.username = "mysite" & #session.mysiteshibboleth.username#>

You can remove the hashmarks from this, as the variable isn't being output and it's not part of a string. The following, however, would require hashmarks:

<cfset session.mysiteshibboleth.username = "mysite#session.mysiteshibboleth.username#">

because the variable is contained within a string.

Using hashmarks in the first example can slow down processing.

HTH

Advocate, Jan 19, 2016


2Charlie wrote:

I would still have the same error.

Please post your code as it is now.

Cheers

Eddie

Enthusiast, Jan 19, 2016


Here is the whole thing in the authenticate.cfm file.

<!--- the default is an empty string, not a struct; GetHttpRequestData() exposes the request headers --->
<cfparam name="Session.mysiteShibboleth" default="">
<cfparam name="http_header" default="#GetHttpRequestData()#">

<!--- determine what the referer should be from shibboleth depending on what server we're on --->
<cfif request.env eq "production">
  <cfset shibboleth_url = "https://login.mysite.com/idp/profile/SAML2/Redirect/SSO">
<cfelse>
  <cfset shibboleth_url = "https://logintest.mysite.com/idp/profile/SAML2/Redirect/SSO">
</cfif>

<!--- if shibboleth sent us here, remember the data it gave us --->
<cfif cgi.http_referer eq shibboleth_url>
  <cfscript>
  session.mysiteShibboleth = StructNew();
  // eppn is scoped (user@mysite.com); keep only the user part
  session.mysiteShibboleth.username = REReplace(http_header.headers.eppn, "@mysite\.com$", "");
  session.mysiteShibboleth.mail = http_header.headers.eppn;
  // pull the WEB.* group names out of the member header
  session.mysiteShibboleth.groups = ArrayToList(REMatch("WEB\.[A-Z.-]+", http_header.headers.member));
  session.mysiteShibboleth.isAuthenticated = "true";
  </cfscript>
</cfif>

<!--- <cflog text="CGI-log: #cgi.http_referer#" type="information" file="CGI-Log"> --->

<!--- if we have shibboleth info, log in to commonspot with that --->
<cfif StructKeyExists(Session, "mysiteShibboleth")>
  <!--- <cflog text="Session Name: #session.mysiteShibboleth#" type="information" file="Session"> --->

  <!--- usernames that start with a digit get a "mysite" prefix --->
  <cfif IsNumeric(Mid(session.mysiteShibboleth.username, 1, 1))>
    <cfset session.mysiteShibboleth.username = "mysite" & session.mysiteShibboleth.username>
  </cfif>

  <cflog text="User Name: #session.mysiteShibboleth.username#" type="information" file="userName">

  <!--- authorize the user --->
  <cfmodule template="/commonspot/security/populate-user-struct.cfm"
    defaultUserID="#session.mysiteShibboleth.username#"
    defaultGroupNames="#session.mysiteShibboleth.groups#"
    defaultGroupIDs=""
    additionalGroupNames="#session.mysiteShibboleth.groups#">

  <!--- if this user is not marked as a "licensed contributor", mark them as such --->
  <cfif session.user.LICENSEDCONTRIBUTOR eq 0>
    <cftry>
      <cflock scope="Session" type="Exclusive" timeout="5" throwontimeout="Yes">
        <cfquery datasource="#session.user.USERSDATASOURCE#" name="updateContributor">
          UPDATE Users
          SET LicensedContributor = '1'
          WHERE ID = <cfqueryparam value="#session.user.id#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfset session.user.LicensedContributor = "1">
      </cflock>
      <cfcatch>
        <cfoutput>Error in /authenticate.cfm: An error occurred while trying to log in. Please try again.</cfoutput>
      </cfcatch>
    </cftry>
  </cfif>

  <!--- we are now logged in, so redirect somewhere --->
  <cfif session.preAuthUrl eq "">
    <!--- not sure where we came from, so redirect to the homepage --->
    <cflocation url="/" addtoken="no">
  <cfelse>
    <!--- strip the scheme and host so only the path remains; set before the branch so both branches can use it --->
    <cfset tmp = ReReplace(session.preAuthUrl, "^.+\.mysite\.com", "")>
    <cfif session.preAuthUrl contains "login=1">
      <cfif tmp eq "">
        <cflocation url="/" addtoken="no">
      <cfelse>
        <cflocation url="#tmp#" addtoken="no">
      </cfif>
    <cfelse>
      <cflocation url="#request.author_url##tmp#" addtoken="no">
    </cfif>
  </cfif>
</cfif>

<!--- go back to wherever we came from (the referer is supplied by the client) --->
<cflocation url="#cgi.http_referer#" addtoken="no">

Enthusiast, Jan 19, 2016


Right now it seems that cgi.http_referer does not equal shibboleth_url, which is why the session was not set. In cgi.http_referer it seems a bunch of character codes are appended to it, as shown in a couple of my posts above. I have to figure out a way to strip those extra codes out.

Enthusiast, Jan 20, 2016


Okay, so how do I remove everything after the SSO in the following cgi.http_referer?

https://logintest.mysite.com/idp/profile/SAML2/Redirect/SSO;jsessionid=BD14DA537857266CDDE34FC153683...

Enthusiast, Jan 20, 2016


(Correct answer)

Okay, I got it to work. I need to use reReplace() to extract the part that I need so that the cfif works and the session gets set.

<!--- strip the ;jsessionid=... path parameter and any query string so the referer can match shibboleth_url --->
<cfset cgiReferer = reReplace(cgi.HTTP_REFERER, "[\?;].*$", "") />

<!--- if shibboleth sent us here, remember the data it gave us --->
<!--- <cfif cgi.http_referer eq shibboleth_url> --->
<cfif cgiReferer eq shibboleth_url>
  <cfscript>
  // http_header is the GetHttpRequestData() struct cfparam'd at the top of authenticate.cfm
  session.testShibboleth = StructNew();
  // eppn is scoped (user@test.com); keep only the user part
  session.testShibboleth.username = REReplace(http_header.headers.eppn, "@test\.com$", "");
  session.testShibboleth.mail = http_header.headers.eppn;
  // pull the WEB.* group names out of the member header
  session.testShibboleth.groups = ArrayToList(REMatch("WEB\.[A-Z.-]+", http_header.headers.member));
  session.testShibboleth.isAuthenticated = "true";
  </cfscript>
</cfif>
